This is my PERSONAL blog, as as of August 1, 2011, it focuses on personal matters and various things I find to be fun.

Tuesday, August 11, 2009

A Myth of An Expert Generalist

In the future, it will become clear why I am writing this... For now, please treat this as some random analysis of our profession as well as of the dreaded definition of “a security expert.” Some might say it is a rant, but I prefer to tag it as “musings.”

Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang Institute for Theoretical Physics who would self-identify as “a scientist” or, for that matter, even as “a physicist.” It is overwhelmingly more likely that he would say “quantum chromodynamics” or “lepton number violation in electroweak gauge theories” or “self-ionization of the vacuum” or some such fun thing :-) However, as we all know, some folks in our industry have no shame introducing themselves to a colleague as “security experts.”

So, you are “a security expert.” Awesome, happy to hear it! Please let me know whether you are Case A or Case B.

Case A: you know more than an average person on the street about every single area (or many, many areas) of information security: from ISO27001 to secure coding in Ruby?

Let’s see which one is consistent with how people in other professions define “expertise.” The obvious start is Wikipedia. As of today, http://en.wikipedia.org/wiki/Expert entry says:

“An expert is someone widely recognized as a reliable source of technique or skill whose faculty for judging or deciding rightly, justly, or wisely is accorded authority and status by their peers or the public in a specific well distinguished domain. An expert, more generally, is a person with extensive knowledge or ability in a particular area of study.”

Other sources (such as Google “define:expert”) present similar results; expert can only be an expert in a specific narrow area.

Now, notice that the farther you are from a certain area, the more it seems like a narrow one (example: “science” to a average janitor is a narrow area). On the contrary, the deeper you are inside a particular area , the more it seems like a wide area (example: “brain tumor surgery” to a neurosurgeon is a broad area or “quantum gravity” to a physicist).

Despite such relativism, other professions somehow managed to converge on their definitions of “an expert.” After all, you don’t get to “enjoy” a neurosurgery from somebody who “knows more about medicine than an average layperson.” However, as we all know, many organizations “enjoy” having their NIDS tuned by a just-hired CISSP (aka proof of being “a light-year wide and a nanometer deep” in security :-)). What’s up with that?

I think this has a lot to do with the fact that the area of security is too new and too fuzzy. However, my point here is that a little common sense goes a long way even at this stage of our industry development. In light of this, next time you meet “a security expert,” ask him what is his area of expertise. If the answer is “security”, run! :-)

Finally, career advice for those new to information security: don’t be a generalist. If you have to be a security generalist, be a “generalist specialist;” namely, know a bit about everything PLUS know a lot about something OR know a lot about “several somethings.” If you ONLY know “a bit about everything,” you’d probably die hungry...

About Me

He is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior", "PCI Compliance", "Logging and Log Management" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management, honeypots, etc . His blog securitywarrior.org was one of the most popular in the industry.

In addition, Anton teaches classes (including his own SANS class on log management) and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He worked on emerging security standards and served on the advisory boards of several security start-ups.

Before joining Gartner in 2011, Anton was running his own security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.